[UCIMC-Tech] Re: Google via IMC wired ethernet [was: bikeproject computer]

Josh King joshuaheretic at gmail.com
Fri Sep 5 16:43:01 CDT 2008


Hi Barry,

I'm finishing up the third of three major non-IMC projects this weekend,
after which I'll have more time to devote to infrastructure upgrades to
the IMC. You should hopefully be able to overcome that issue on a Linux
machine by adding:

net.ipv4.tcp_window_scaling = 0

to the /etc/sysctl.conf file. I'm not sure what the equivalent directive
is on a Mac, as I haven't gotten any reports until now of that problem
existing with Macs. I'll keep you updated as things progress.

Barry Isralewitz wrote:
> Hi Josh,
> 
>   How goes the UCIMC firewall alterations?  Do you know about when
> they'll be done, and we'll have access to Google sites? I saw the same
> "everything works except Google" problem with my Mac OS 10.4 laptop
> using the UCIMC wireless network, in Room 24 last night.  I don't see
> this problem anywhere else with my laptop.
> 
> Details:
>   Just like with the Bike Project BSD machine,
> every site worked except for Google sites, and sites that halted waiting
> for googlesyndication.com and Google metrics.
>   
>   My laptop has been on scores (hundreds?) of wireless networks, UCIMC
> is the only place where I've seen "everything works except Google".
> Since this is a public wireless network, it should probably work with
> standard configuration machines.
> 
>   As I might have told you earlier, Bike Project is relying increasingly
> on an external wiki which uses googlesyndication, so works everywhere
> except in Bike Project (using local Mediawiki would be better, yes), and
> have lots of call to access Google mail and Google docs.
>   
> 
>   
>                   Cheers,
> 
>                   Barry
> 
> On Tue, Sep 02, 2008 at 03:36:20PM -0500, Barry Isralewitz wrote:
>> Hi Josh,
>>
>>
>> On Wed, Aug 06, 2008 at 10:38:34AM -0500, Josh King wrote:
>>> Hey Barry,
>>>
>>> Oh, it is most definitely a problem with the firewall. The thing is,
>>> it's not something that can be fixed without overhauling the operating
>>> system on the firewall. The whole thing is actually symptomatic of an
>>> obscure bug in the way that OpenBSD (which is on the firewall) and Linux
>>> (and apparently FreeBSD, judging from your computer), interact when
>>> managing TCP/IP streams.
>>   Okay, I will try and get Ubuntu installed on the Bike Project machine
>> shortly -- I've been meaning to do this for a while for unrelated
>> reasons.
>>
>>   After I install the Ubuntu machine, will I have to make any changes to
>> allow it to work with the wired building network?  Are there any recent
>> firewall changes that happened at end of August 2008 (last few days)
>> that I should know about?
>>
>>  Observations: 
>>   I last week witnessed Ubuntu machines in IMC (one upstairs in the
>> Production Room) reach Google without trouble.  On the other hand, I do
>> see non-BSD machines in basement ('computer lab' Ubuntu, laptops connecting over
>> basement wireless) having trouble reaching Google / not reaching Google
>> at all.  Bike Project machine still not reaching Google, when I last
>> checked on Friday, Aug. 29.
>>
>>
>>           Cheers,
>>
>>           Barry
>>  
>>> The thing is, it's a super-easy fix on a linux
>>> system to get it to work right with our firewall (adding
>>> net.ipv4.tcp_window_scaling = 0 to the /etc/sysctl.conf file) but a
>>> super-hard one to fix on the firewall itself. All the workstations and
>>> public access terminals in the building already have that fix set up,
>>> and the problem doesn't even seem to affect most computers. I've just
>>> never had to fix the problem on a FreeBSD box before, so I'm still
>>> trying to ascertain the correct sysctl.conf directive
>>> (net.inet.tcp.rfc1323 = 0 is the correct fix from everything I've read).
>>> We plan on completely overhauling the firewall; it's just that up to
>>> this point it would mean a significant amount of downtime for the whole
>>> building while the firewall's operating system is replaced and
>>> recompiled. We only recently managed to afford the hardware for
>>> outfitting a secondary firewall box; once we set that up, when OJC moves
>>> out (freeing up the wattage in the server room, since we can't even
>>> squeeze one more box in there on the current circuit) we'll stick the
>>> second firewall in, bridge the connections across, then take out the
>>> first firewall for recompiling, thus minimizing downtime. I'm still
>>> trying to implement a fix, but at worst everything will work when we
>>> overhaul the network at the end of the month.
>>>
>>> Barry Isralewitz wrote:
>>>> On Fri, Aug 01, 2008 at 08:57:32PM -0500, Josh King wrote:
>>>>
>>>>> Hey Barry,
>>>>>
>>>>> Damn. I'm pretty certain that the thing I'm trying to fix (the size of
>>>>> the TCP packet frames) is the problem, since as it turns out the
>>>>> computer in the library has developed the same issue where it can't
>>>>> reach google, and the TCP frames is a familiar bugfix which eliminated
>>>>> the problem on the library computer. However, I've never had to
>>>>> implement that fix before on a FreeBSD computer. It may be that I have
>>>>> the option wrong. I'll look into it a little more and get back to you,
>>>>> sorry about that.
>>>>   Thanks much for the work on this.
>>>>
>>>>   Any chance this is a problem with a router setting in the building, and not
>>>> the FreeBSD machine?  Quick test (which I wish I'd done the last time I was in
>>>> the IMC): unplug the RJ-45 from Bike Project machine (temporarily),
>>>> so you can plug it in a known-good laptop.  If the laptop behaves the same way
>>>> as the Bike Project FreeBSD machine, (i.e. can reach everything except google),
>>>> might help figure out where the problem is.  Apologies if you've already
>>>> thought of this ...
>>>>
>>>>   
>>>>                       Cheers,
>>>>
>>>>                       Barry 
>>>>
>>>>> Barry Isralewitz wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On Fri, Aug 01, 2008 at 01:32:25PM -0500, Josh King wrote:
>>>>>>> Hey Barry,
>>>>>>>
>>>>>>> I forgot that your computer doesn't have sudo installed, so my account
>>>>>>> on there doesn't have administrative access. In any event, I believe
>>>>>>> that the fix is to add the line:
>>>>>>>
>>>>>>> net.inet.tcp.rfc1323 = 0
>>>>>>>
>>>>>>> to the end of the file /etc/sysctl.conf, and either restart the computer
>>>>>>> or run the command (as root) sysctl -f /etc/sysctl.conf
>>>>>>>
>>>>>>> If that works, then you can remove my account (`pw userdel jking` should
>>>>>>> work) and shut off sshd (change enable_sshd="YES" to enable_sshd="NO" in
>>>>>>> /etc/rc.conf, and run /etc/rc.d/sshd stop). Let me know whether this is
>>>>>>> successful.
>>>>>>> -- 
>>>>>>> Josh King
>>>>>>  Thanks!
>>>>>>
>>>>>>  I added above net.inet line and rebooted, but did not seem to help much...
>>>>>>
>>>>>>
>>>>>>             Cheers,
>>>>>>
>>>>>>             Barry
>>>>>>> --
>>>>>>> josh at ucimc.org
>>>>>>> --
>>>>>>> System Administrator, Chambana.net (http://www.chambana.net)
>>>>>>> --
>>>>>>> "I am an Anarchist not because I believe Anarchism is the final goal,
>>>>>>> but because there is no such thing as a final goal." -Rudolf Rocker
>>>>>>>
>>>>>>>
>>>>>>
>>>>> -- 
>>>>> Josh King
>>>>> --
>>>>> josh at ucimc.org
>>>>> --
>>>>> System Administrator, Chambana.net (http://www.chambana.net)
>>>>> --
>>>>> "I am an Anarchist not because I believe Anarchism is the final goal,
>>>>> but because there is no such thing as a final goal." -Rudolf Rocker
>>>>>
>>>>>
>>>>
>>>>
>>> -- 
>>> Josh King
>>> --
>>> josh at ucimc.org
>>> --
>>> System Administrator, Chambana.net (http://www.chambana.net)
>>> --
>>> "I am an Anarchist not because I believe Anarchism is the final goal,
>>> but because there is no such thing as a final goal." -Rudolf Rocker
>>>
>>>
>>
>>
>> -- 
>> Barry Isralewitz, Ph. D.
>> Theoretical and Computational Biophysics Group,
>> University of Illinois at Urbana-Champaign 
>> Beckman 3043   Phone: (217) 244-1612   Home Phone: (217) 337-6364
>> email: barryi at ks.uiuc.edu      http://www.ks.uiuc.edu/~barryi
> 

-- 
Josh King
--
"I am an Anarchist not because I believe Anarchism is the final goal,
but because there is no such thing as a final goal." -Rudolf Rocker
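
The sysctl.conf edit described in this thread, as an added example that is not part of the original messages: a shell helper that persists one directive without leaving duplicate or conflicting lines, and a second that reports the value the file would apply. The function names `set_sysctl` and `get_sysctl` are hypothetical, and both take the file path as an argument so they can be tried on a copy first.

```shell
#!/bin/sh
# Added example (not from the thread): persist one sysctl directive in a
# sysctl.conf-style file without creating duplicate or conflicting lines.

# set_sysctl FILE KEY VALUE
# Replaces every active assignment of KEY with a single "KEY = VALUE" line,
# appends the line if KEY is absent, and leaves comments and other keys alone.
set_sysctl() {
    file=$1; key=$2; value=$3
    [ -e "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            s = $0; sub(/^[ \t]+/, "", s)
            n = index(s, "=")
            if (s !~ /^[#;]/ && n > 0) {
                k = substr(s, 1, n - 1); gsub(/[ \t]+/, "", k)
                if (k == key) {              # literal compare: dots are not regex
                    if (!seen) print key " = " value
                    seen = 1
                    next
                }
            }
            print
        }
        END { if (!seen) print key " = " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# get_sysctl FILE KEY
# Prints the value the file would apply for KEY (the last active assignment).
get_sysctl() {
    awk -v key="$2" '
        {
            s = $0; sub(/^[ \t]+/, "", s)
            n = index(s, "=")
            if (s ~ /^[#;]/ || n == 0) next
            k = substr(s, 1, n - 1); gsub(/[ \t]+/, "", k)
            v = substr(s, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { last = v; found = 1 }
        }
        END { if (found) print last }
    ' "$1"
}
```

Called as `set_sysctl /etc/sysctl.conf net.ipv4.tcp_window_scaling 0` on Linux, or with `net.inet.tcp.rfc1323` on FreeBSD, it only changes the file; the running kernel picks the value up after a reboot or a reload of the file.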

